Unbound: Should it be used in Tomato for DNS caching (and DNSSEC validation)?

Discussion in 'Tomato Firmware' started by GrayWolf, Nov 25, 2012.

  1. GrayWolf

    GrayWolf Serious Server Member

    On a couple of Mac and Linux machines, I have been using Unbound software for DNS caching. I like, and previously used, Dnsmasq (the Tomato default) for this purpose, but I find Unbound superior in several ways. Unbound is fast, uses low resources and does the complex, but increasingly necessary, DNSSEC validation (which will become more used with time, even among the non-paranoid!). It would be great to have Unbound running on my Asus RT-66U Tomato by Shibby (V102) router instead of on several client machines.

    Without restarting any silly arguments of the past, Dnscrypt, which is available, is useful additional software that can work to help prevent tampering with vital DNS accuracy in a different but complementary way to that of Unbound (i.e. DNSSEC).

    Together, an Unbound-Dnscrypt solution would, to my mind, be an excellent, appropriate & secure solution for many types of routers, including the Tomato types. (If anyone has successfully compiled Unbound for a MIPS2 router, please let me know!)

    What does the open source router community think, and how much interest is there in this? Would it be a good idea to have Unbound pre-compiled in optware repositories (and elsewhere) to promote its greater use?
     
  2. counterpoint

    counterpoint Serious Server Member

    I very much agree. Did you make any progress with this?
     
  3. GrayWolf

    GrayWolf Serious Server Member

    Unfortunately, there has been no progress on this either personally or by the open-source community that I can see. Porting Unbound seems non-trivial for a MIPS2-based router. Maybe I should message Shibby (the guru behind the Shibby branch of Tomato firmware) in Poland? Other than that, I am not sure how to stir up more interest in this topic. I still maintain this preference for Unbound over other DNS solutions.

    In my home network's router, I point Dnsmasq to a Mac, which is resolving DNS queries with Unbound. I use the "--all-servers" and "--cache-size=1500" parameters in dnsmasq.conf on the router, because according to the Dnsmasq man pages "By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag [--all-servers] forces dnsmasq to send all queries to all available servers [simultaneously]. The reply from the server which answers first will be returned to the original requester." This solution generates more DNS traffic, but appears to work fairly well as Unbound on the Mac is caching my DNS traffic well.
     
  4. rhester72

    rhester72 Network Guru Member

    Hrm. I use Unbound on Tomato. Where's the issue?

    Rodney
     
  5. GrayWolf

    GrayWolf Serious Server Member

    That's great news, Rodney. Could you kindly post a link to the MIPS2 binary that you are running so I can use it too? (As I mentioned before, I am running an Asus RT-66U router).

    I cannot see an Unbound binary within the optware repository anywhere, or elsewhere. Did you compile it yourself from source? Give any other juicy hints regarding installing, using and configuring Unbound on a Tomato-based router, etc. (optimal size of RAM-based DNS cache, etc). Thanks indeed!
     
  6. GrayWolf

    GrayWolf Serious Server Member

  7. rhester72

    rhester72 Network Guru Member

    I'm using unbound more for DNSSEC than performance, so it's tuned for a small memory footprint rather than performance. I'm "daisy chaining" dnsmasq to it, so I run unbound on port 40 and have the following settings in dnsmasq:

    cache-size=0
    proxy-dnssec
    server=::1#40
    strict-order

    My configuration:

    Code:
    server:
        pidfile: "/var/run/unbound.pid"
        port: 40
        auto-trust-anchor-file: "/opt/etc/unbound/root.key"
        prefetch: yes
        num-threads: 1
        outgoing-num-tcp: 1
        incoming-num-tcp: 1
        outgoing-range: 60
        msg-buffer-size: 8192
        msg-cache-size: 100k
        msg-cache-slabs: 1
        rrset-cache-size: 100k
        rrset-cache-slabs: 1
        infra-cache-numhosts: 200
        infra-cache-slabs: 1
        key-cache-size: 100k
        key-cache-slabs: 1
        neg-cache-size: 10k
        num-queries-per-thread: 30
        target-fetch-policy: "2 1 0 0 0 0"
        harden-large-queries: "yes"
        harden-short-bufsize: "yes"
    
    Rodney
     
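To check that a daisy chain like the one in Rodney's post is wired consistently (the dnsmasq server= port must match unbound's port, proxy-dnssec must be on so the AD bit unbound sets survives, and unbound needs a trust anchor to validate), here is an added Python checker that is not part of the thread; the parsers are minimal and the config strings are constructed copies of the snippets above.

```python
# Constructed copies of the dnsmasq options and the relevant unbound keys from the post above.
DNSMASQ_CONF = "cache-size=0\nproxy-dnssec\nserver=::1#40\nstrict-order\n"
UNBOUND_CONF = 'server:\n    port: 40\n    auto-trust-anchor-file: "/opt/etc/unbound/root.key"\n'

def parse_dnsmasq(text):
    # Bare words are flags, key=value lines are options. Only whole-line '#' comments are
    # skipped, because '#' also separates host#port inside server= values.
    flags, opts = set(), {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(val.strip())
        else:
            flags.add(line)
    return flags, opts

def parse_unbound_server(text):
    # Collect key: value pairs from the indented lines under unbound's 'server:' clause.
    opts, in_server = {}, False
    for line in (l.split("#", 1)[0].rstrip() for l in text.splitlines()):
        if not line.strip():
            continue
        if not line[0].isspace():            # clause header, e.g. 'server:' or 'forward-zone:'
            in_server = line.strip() == "server:"
        elif in_server and ":" in line:
            key, val = line.strip().split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return opts

def check_chain(dnsmasq_text, unbound_text):
    # Return the problems that would break the dnsmasq -> unbound chain (empty list = consistent).
    flags, opts = parse_dnsmasq(dnsmasq_text)
    unbound = parse_unbound_server(unbound_text)
    ub_port = int(unbound.get("port", "53"))   # unbound listens on 53 when 'port' is absent
    problems = []
    if "server" not in opts:
        problems.append("dnsmasq has no server= line, so nothing is forwarded to unbound")
    for spec in opts.get("server", []):
        host, _, port = spec.rpartition("#") if "#" in spec else (spec, "", "53")
        if host not in ("127.0.0.1", "::1"):
            problems.append(f"server={spec} is not the local unbound instance")
        elif int(port) != ub_port:
            problems.append(f"server={spec} uses port {port} but unbound listens on {ub_port}")
    if "proxy-dnssec" not in flags:
        problems.append("proxy-dnssec missing: dnsmasq clears the AD bit that unbound sets")
    if not any(k in unbound for k in ("auto-trust-anchor-file", "trust-anchor-file")):
        problems.append("unbound has no trust anchor, so it cannot validate DNSSEC")
    return problems
```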
  8. Inkrypted

    Inkrypted Serious Server Member

    I would love to get in on this. I have a 4 GB thumb drive and I found a guide on getting optware on it here.
    http://tomatousb.org/tut:optware-installation
    I am a little fuzzy as to getting Unbound on it though. I currently run Unbound on my Fedora desktop. Any help would be greatly appreciated.
     
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    What Rodney graciously provides are precompiled static binaries. That means you (normally!) don't need optware (or, preferably, entware) running to use them. All the libraries the program needs are bound up into the executable, which is why they're called static binaries.
     
  10. Inkrypted

    Inkrypted Serious Server Member

    I tried downloading and copying the files to the /opt partition and used the Dnsmasq settings and config file he provided but I could not get it to work. Very cool that he provided the binaries. I have no idea why it did not work for me.
     
  11. Inkrypted

    Inkrypted Serious Server Member

    Thanks for the heads up about Entware, Monk E. Boy.
     
  12. lancethepants

    lancethepants Network Guru Member

    I had one question regarding your setup. I've got unbound working, but discovered one issue. It's the same issue I've experienced previously when using DNSCrypt.

    In order to have dnssec enabled, the router needs the correct time to validate the certificates. And in order to get the time, the router needs functioning DNS. aka Chicken/Egg scenario. I'm using the 'hostip' utility from DNSCrypt to resolve NTP servers before DNS can be activated. Just wondering if you did the same, or placed static IP for NTP servers, or something else.
     
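As an added illustration (not from the post), the time dependence behind this chicken-and-egg problem: an RRSIG carries inception and expiration timestamps that the validator compares against its own clock using RFC 4034's serial-number arithmetic, so a router whose clock still reads 1970 after boot rejects every signature as not yet valid until NTP has been reached. The signature window and dates below are constructed around this thread's date.

```python
from datetime import datetime, timezone

TWO31, MOD32 = 1 << 31, 1 << 32

def serial_le(a, b):
    # RFC 1982 serial-number "a <= b" on the 32-bit timestamps used by RRSIG (RFC 4034 s3.1.5).
    return ((b - a) % MOD32) < TWO31

def ts(year, month, day):
    # Seconds since the epoch for a UTC date (constructed helper for the sample window).
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def rrsig_time_valid(inception, expiration, now):
    # Return (ok, reason) for the RRSIG validity window checked against the clock 'now'.
    if not serial_le(inception, now):
        return False, "signature not yet valid (clock behind inception)"
    if not serial_le(now, expiration):
        return False, "signature expired (clock past expiration)"
    return True, "within validity window"

# Constructed RRSIG window: signed 2012-11-20, expires 2012-12-04.
INCEPTION = ts(2012, 11, 20)
EXPIRATION = ts(2012, 12, 4)

def router_clock_scenarios():
    # Boot-time clock with no NTP yet (epoch 0) versus a clock synced to the thread's date.
    return {
        "unsynced": rrsig_time_valid(INCEPTION, EXPIRATION, 0),
        "synced": rrsig_time_valid(INCEPTION, EXPIRATION, ts(2012, 11, 25)),
    }
```

With the unsynced clock every validated answer fails, which is why the NTP servers have to be reachable without going through the validator (static IPs, or a non-validating bootstrap lookup such as the hostip approach above).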